Add patch, so that Redmine can run :-)
[archlinuxdevstack.git] / rails / 0001-ruby-1.9-friendly-secure_compare.patch
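--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -40,14 +40,27 @@ module ActiveSupport
 private
 # constant-time comparison algorithm to prevent timing attacks
 def secure_compare(a, b)
- if a.length == b.length
- result = 0
- for i in 0..(a.length - 1)
- result |= a[i] ^ b[i]
+ if a.respond_to?(:bytesize)
+ # > 1.8.6 friendly version
+ if a.bytesize == b.bytesize
+ result = 0
+ j = b.each_byte
+ a.each_byte { |i| result |= i ^ j.next }
+ result == 0
+ else
+ false
 end
- result == 0
 else
- false
+ # <= 1.8.6 friendly version
+ if a.size == b.size
+ result = 0
+ for i in 0..(a.length - 1)
+ result |= a[i] ^ b[i]
+ end
+ result == 0
+ else
+ false
+ end
 end
 end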
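Review bot: The new `bytesize` branch pairs bytes through an external enumerator (`j = b.each_byte` / `j.next`), which relies on blockless `each_byte` returning an Enumerator and is a slow, indirect way to walk two strings in step. Unpacking one side first is simpler and keeps the work per byte independent of the data: `l = a.unpack("C#{a.bytesize}")` followed by `b.each_byte { |byte| result |= byte ^ l.shift }`. The capability test also inspects only `a`, so a `nil` argument still raises `NoMethodError` (in the else branch for `a`, at `b.bytesize` for `b`) instead of returning false; the callers are outside this hunk, so whether a malformed signed message can reach that path is not visible here. The method comment should also say that the length check returns early, so the comparison is constant-time only for equal-length inputs, which is fine as long as both sides are fixed-size digests.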
37 --
38 1.6.0.4